(57) Abstract

The invention relates to a method and arrangement for detecting and/or tracking a
non-authorised client station (11, 20) when accessing a host station (10, 21) in a
communications network (12), which also comprises connecting devices (13-17, 22-28)
in a route between said client station and host station (10, 21), each client station
(11, 20), host station (10, 21) and at least some of said connecting devices (13-17,
22-28) being provided with a unique identity, the method comprising the step of
executing a first verification. The method, in case of approved said first
verification, includes a further step of route control comprising: retrieving the
unique identity of each of said devices in said route, by propagating an identity
inquiry, collecting an identity inquiry response message, including the identity of at
least each device having a unique identity, comparing each unique identity of each
device and/or station included in said response message with a list of approved
identities, and rejecting or accepting the access, based on the comparison result.
TITLE

METHOD AND ARRANGEMENT RELATING TO COMMUNICATIONS SYSTEMS 
TECHNICAL FIELD OF THE INVENTION 

The present invention relates to a method and arrangement for detecting and preferably tracking
a non-authorised client station's attempt to access a host in a communications network. The
communications network comprises connection devices, at least some of which have a unique identity.

The invention also relates to a telecommunications network having a security arrangement. 
DESCRIPTION OF THE RELATED ART 

During recent years, the art of digitalised communications using, for example, computers, mobile
phones etc., has changed dramatically. The changes, besides being an aid for users and
allowing faster and better communication, have given some people the opportunity to use the
benefits and possibilities of essentially advanced communication means to carry out, more or
less, criminal acts, such as fraud, e.g. by accessing company or government computer
networks and retrieving, changing or deleting information, or using telephones, switchboards
etc. to obtain felonious privileges.

The Internet, the global network of computers and computer networks, has also contributed to
global communications by allowing the transfer of images, voice and other data in a simple
and inexpensive way. The result is that companies, government offices, universities and so on
have connected their networks through the Internet to supply internal and external users with
relevant information and also to communicate with each other.

The Internet is a public network, i.e. everybody having a computer and a communication
device, such as a modem, may through an Internet Provider Server (IPS) access the Internet and
communicate with others or just retrieve information. The Internet is, by far, the
fastest and most effective way to distribute a large amount of information to a large number of
people.

The "core" of the Internet includes a very large number of computers, standalone or connected
in networks, which can exchange information substantially directly using some predetermined 
protocols, especially Transmission Control Protocol/Internet Protocol (TCP/IP). 

Each computer or connecting device in the core is distinguished from the others by means of an IP
address. The IP address consists of a network number. In some cases the IP address is
permanently assigned to a device (computer); in other cases the IP address is assigned to a
computer temporarily. The IP address gives each connected computer/device a unique
identity in the network.

The data transmission may be carried out via, for example fibre-optic lines, satellite links and 
telephone lines. 

At present, obtaining full identification of a client or a user workstation connected or trying to
connect to a host system is not possible. Also, it is not possible, in a simple and fast way, to
identify the fraudulent workstation and thereby the user, even though a partial identification is
possible.

When accessing a network, usually a login procedure is executed for authentication of the user.
The authentication works by the client first declaring the user name to be used to access the
network. The service providing server then responds with a set of authentication methods
which are acceptable. The client then sends an authentication request, and this dialogue
continues until access has been granted or denied. The authentication methods can vary from
system to system. Some methods are:

none checks whether no authentication is acceptable,

password a conventional password authentication, which requires a password for
access,

secureid SecurID authentication is a timing-based hardware token
identification, where the user enters a code displayed on the token as
authentication.



Also, one-time passwords and similar methods are available. As other methods, public key can be
mentioned, in which the possession of a private key is the authentication.
Great efforts are made to develop methods and algorithms to secure the authentication
procedures, but no system is more secure than the user of the system, as passwords and keys
may come into the possession of non-authorised persons. In the Internet case, IP addresses
can also be forged, which allows accessing the network without problem.

With a forged IP address, it is also possible to attack Internet service providers, for example by
flooding or the like. Flooding is a method where an unreachable source (IP) address is used
against a target host computer, which attempts to reserve resources while waiting for a response. The
attacker repeatedly changes the bogus source address on each new access packet sent, thus
exhausting additional host resources. If, instead, the attacker uses some valid address as the source
address, the attacked system responds by sending a large number of reply packets, which in the
end results in degraded performance and even a system crash.

U.S. Patent no. 5,619,657 teaches a method for providing a security facility for a network of
management servers utilising a database of trust relations to verify mutual relations between
management servers. The method relates especially to creating accounts on a system over a
network. The management operation (MO) also contains the identity of the user launching the
operation. Through an interface the MO is transferred to a dispatcher of the management server
(MS). The MS, in addition to administrating requests for management services provided by a
local system, is also responsible for routing MOs on secure paths to other local systems in the
network and managing the security of the local system. The MS determines a proper link by
means of a database, which maintains trusted relations between the management servers. The
trusted relation lists are generated independently of the execution of a communication protocol
by an autonomous network utility. Each MS contains a list. The lists are divided into two
categories, trusted receivers and trusted senders. Based on the trusted list, forwarding of the
operations is executed. In summary, the database provides a means for routing MOs from one
MS to another MS along a secure path determined by the trust relations of the MSs at each link
in the route in the network performing the MO.

WO 99/00720 PCT/SE98/01257

SUMMARY 

There is a need for a method and arrangement in a communications system, especially in a
computer network, which provides a simple, effective and straightforward way to increase
security.

There is also a need for a method and arrangement which allows detection of an unauthorised
access attempt to a service providing device or the like in a communications system by a user
station or process, using substantially available procedures.

Through implementation of the method and arrangement according to the invention, there is
provided a fast way to trace the position of the fraudulent user stations.

Therefore the method according to the invention, in case of a first approved control of the
identity of a client station trying to access the network, further comprises the steps of: retrieving the
unique identity of each of said devices in said route, by propagating an identity inquiry,
collecting an identity inquiry response message, including the identity of at least each device
having a unique identity, sent by each device having an identity and arranged to respond,
comparing each unique identity of each device and/or station included in said response message
with a list of approved identities, and rejecting or accepting the access, based on the comparison
result.

In an advantageous embodiment the first verification includes controlling the client station
identity and comparing it with a list of approved identities and/or the number of accesses made by
the client station. If the client identity is approved and a first-time access is detected, the method
further comprises the steps of: retrieving the unique identity of each of said devices in said
route, arranging a database for said client station for storing the connection route, and
including in the database the identity of each device having a unique identity, sent by each device
having an identity and arranged to respond.



It is possible that the identity of each device is collected by propagating an identity requirement
and collecting the identity requirement response message. Then a list including said identities
received in said response message is arranged, where the identity list constitutes a route list and
the list is compared with an approved route list.

In an embodiment, the comparison of the client station identity with a list of known approved
clients is carried out before the route control; it is also possible to carry it out after the route
control.

In the advantageous embodiment, the communications network is a computer network and the
unique identity is the IP address of the client station, host station and at least some of said
connecting devices. Preferably, the communications network is the Internet. The communications
network may also be an Intranet/Extranet.

In another embodiment, an alarm signal is generated in case of rejection or a trace procedure
is executed.

In an embodiment an error message inquiry is sent to each or all devices, asking for identity
conflict errors and/or other errors.

According to the invention a security arrangement is provided for detecting and/or tracking a
non-authorised user access to a communications network. The network comprises at least one
client station, at least one host station and connecting devices in a route between said client
station and host station, each client station, host station and at least some of said connecting
devices being provided with a unique identity. The arrangement comprises means for
communication with said host station, client station and connecting devices, memory units for
storing information, means for fetching the identity of the client station at login, a comparison
device for comparing the identity of the user with a stored identity list, means to propagate a
device identity inquiry, means to identify and collect responses to said inquiry including unique
identities and means to compare said collected identities with a stored list of identities.

Advantageously, the arrangement is integrated in said host station or separately arranged in a
supervising server. The connection devices may be any one of: routers; infrastructure
devices such as bridges, terminal servers, gateways, firewalls, repeaters; application servers
such as DNS (Domain Name System), mailhubs, news servers, FTP (File Transfer Protocol)
servers, WWW (World Wide Web) servers, network management systems and communication
servers.

A telecommunications network according to the present invention, including a calling unit, one or
more switching stations and links and a receiving station, is characterised by a security
arrangement for detecting and/or tracking a non-authorised user when connecting speech for
said calling unit, each of the calling unit and the switching stations/links being provided with a
unique identity. The arrangement further comprises means for collecting the identity of each
calling unit and switching station, upon a request from said arrangement, and creating a list for a
call route, comparing said call route with approved call routes and approving or rejecting the
call.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will be further described in the following in a non-limiting way with reference
to the enclosed drawings, in which:

Fig. 1 is a schematic illustration of a first embodiment of a system implementing the
invention.

Fig. 2 is a flowchart, schematically illustrating the function of the embodiment according to
Fig. 1.

Fig. 3 illustrates another embodiment of the invention. 
DETAILED DESCRIPTION OF THE EMBODIMENTS 

In the following, the invention will be disclosed referring to two non-limiting embodiments.
The first embodiment is based on a computer network using IP addresses (TCP/IP protocol);
examples of such networks are the Internet and Intranet/Extranet. The second embodiment is a
telecommunications network.

It is assumed that the TCP/IP protocol and IP address structure are known to a skilled person,
but briefly, its operation is based on dividing a message into small packets or datagrams, each
of which is transmitted individually and reassembled into the original message at the destination.
This makes it possible for the packets to take another route if a route is busy.
Fig. 1 illustrates a computer network including at least one service providing server (SPS) or
supervising server 10. A user or client station (CS) 11 can access the SPS 10 through a network
12 including one or several connection devices 13-17. The SPS 10, CS 11 and substantially
each connection device is provided with a unique identity, such as an IP address. Furthermore,
the SPS 10 is arranged with a storing means 18. The CS 11 may also be a member of another
local network, connected to other computers in the local network by means of network cards in
a known manner. In this case the connection device 13 may be a router or the like.

The connection devices and devices having an IP address may be any of the following:

* Routers;

* Infrastructure devices such as bridges, terminal servers, gateways, firewalls,
repeaters;

* Application servers such as DNS (Domain Name System), mailhubs, news servers,
FTP (File Transfer Protocol) servers, WWW (World Wide Web) servers, network
management systems etc.;

* Peripheral devices, such as printers, printer servers, CD-ROM servers,
communication servers etc.

Generally, the above-mentioned devices are arranged to return their unique address when a query is
directed at them.

The basic idea of the invention will be clear through the following non-limiting operational
example with reference to the flowchart of Fig. 2.

The client station 11 directs 100 an access request to one or several servers 10, which also can
be a security management server. An authentication procedure 101 is then launched by the
server 10 requiring a password or the like. The reply from the client station is then compared
with, 102, a list of approved identities stored in the database, for example stored in device 18 of
the server 10. If the user name and password are in the list the first step of access is approved,
otherwise the access is rejected 103 in a known way. The server 10 may only check the IP
address of the CS 11, and use the IP address for the further authentication process.
If the first step of access is approved, the authentication procedure checks 104 if it is the first
time for a client station accessing the server (system). If it is a first-time access, a new database
for the client is built 105. Then the procedure propagates a query on the network, directed to
each 106 device 13-17 or all 107 devices 13-17 in the route, through which the communication
between the server 10 and the client station 11 is established. The query asks for the identity (IP
address) of each connection device 13-17 in the route. If a device is provided with an identity,
on receiving the identity query it transmits back the identity. The identities received by the
server are then collected and stored 108 in the database. Then, as this is the first access, the
client station is allowed to access 109 the network (services).

At step 104, if it is determined that it is not the first access of the client station, a database
including data about the client station or dedicated to the client station, including for instance
the identities of the connection devices collected by means of the procedure according to the previous
section, is opened. Then, the procedure propagates a query on the network, directed to each 111
device 13-17 or all 112 devices 13-17 in the route, through which the communication between
the server 10 and the client station 11 is established. The query asks for the identity (IP address)
of each connection device in the route. If a device is provided with an identity, on receiving the
identity query it transmits back its identity. The identities received by the server are then
collected and compared 113 with the list of identities in the database. If the lists of identities
match, the access is accepted 109. Otherwise, an alarm is generated 114. As the identity of
each connection device corresponds to a physical site and is retrieved, it is possible to trace 114
the physical location of the client station, even though the user name, password and the IP
address are forged.

Moreover, it is possible to control attempts to build a false route or change the IP addresses
without permission. The arrangement can transmit a query, asking the connection devices for
any identity conflicts or any error messages related to identity problems. If an identity conflict
or error message is detected, the system may report the detection to a system operator and
ask for a manual sanction.
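The following Python program is an added example, not part of the patent text, that models the Fig. 2 procedure described above (and the route-control steps of the Summary): the first verification by user name and password, the identity inquiry to the devices in the route, the per-client route database built on a first-time access, the comparison on later accesses, and the alarm carrying the collected route as trace information. The credential store, the client addresses and the hop identities returned by `identity_inquiry` are constructed sample data standing in for the replies a real probe (an echo request or traceroute, as the description mentions) would gather; the `approve_new_route` method reflects the description's allowance for adding a changed route after a double check.

```python
"""Route control modelled on the Fig. 2 flowchart (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed credential store for the first verification: user name -> password.
APPROVED_CLIENTS: Dict[str, str] = {"alice": "s3cret"}

# Constructed stand-in for the identity inquiry replies: client IP -> identity of
# each connection device in the route between the server and that client.
NETWORK_ROUTES: Dict[str, List[str]] = {
    "192.0.2.10": ["10.0.0.1", "10.0.1.1", "10.0.2.1"],        # usual path of alice
    "192.0.2.77": ["10.0.9.1", "203.0.113.5", "10.0.2.1"],     # path from elsewhere
}


def identity_inquiry(client_ip: str) -> List[str]:
    """Simulated identity inquiry (steps 106/107, 111/112): returns the identity of
    every device in the route. A real deployment would probe the path instead."""
    return list(NETWORK_ROUTES.get(client_ip, []))


@dataclass
class Decision:
    accepted: bool
    reason: str
    alarm: bool = False
    trace: List[str] = field(default_factory=list)  # route returned for tracing (114)


class RouteControl:
    def __init__(self, inquiry: Callable[[str], List[str]] = identity_inquiry) -> None:
        self.inquiry = inquiry
        # per-client database holding the approved route (steps 105, 108)
        self.route_db: Dict[str, List[str]] = {}

    def first_verification(self, user: str, password: str) -> bool:
        # steps 101-103: conventional user name / password check
        return APPROVED_CLIENTS.get(user) == password

    def access(self, user: str, password: str, client_ip: str) -> Decision:
        if not self.first_verification(user, password):
            return Decision(False, "first verification failed")
        route = self.inquiry(client_ip)
        if user not in self.route_db:          # step 104: first-time access?
            self.route_db[user] = route        # steps 105, 108: build and store
            return Decision(True, "first access, route recorded")
        if route == self.route_db[user]:       # step 113: compare with stored list
            return Decision(True, "route matches approved route")
        # step 114: alarm; the collected route identifies the physical path used
        return Decision(False, "route mismatch", alarm=True, trace=route)

    def approve_new_route(self, user: str, client_ip: str, double_checked: bool) -> bool:
        """Add a changed route for a known client, only after an out-of-band double
        check that the station is operated by an authorised client."""
        if not double_checked or user not in self.route_db:
            return False
        self.route_db[user] = self.inquiry(client_ip)
        return True


if __name__ == "__main__":
    rc = RouteControl()
    print(rc.access("alice", "s3cret", "192.0.2.10"))   # first access, recorded
    print(rc.access("alice", "s3cret", "192.0.2.10"))   # same route, accepted
    print(rc.access("alice", "s3cret", "192.0.2.77"))   # other route, alarm + trace
```

The route comparison is an exact, ordered match, which is the strictest reading of step 113; a deployment that tolerates the occasional route change described later in the text would route such mismatches through `approve_new_route` rather than silently accepting them.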



Controlling the first-time access is, for example, carried out by inspecting a corresponding
database for the existence of the client station identity (e.g. user name or IP address). In some
cases, the identities in the route can vary, for example when a connection device having a
permanent identity is replaced or the message takes another route. In these cases, it is possible
to add the new identity route into the database, preferably after a double check that the client
station is operated by an authorised client. It is also possible to arrange the connection devices
to report the replacement to a controlling database, whereby the server can check for possible
changes. Experiments have shown that the datagrams in a TCP/IP based network substantially
always take the same route.

It is also possible to execute the first authentication procedure 102, asking for user name and
password, after the step of route approval 108 or 113.

The queries for the identities of the devices may be executed using existing procedures or special
procedures. It is possible to send an "echo request" in the form of a data packet to a remote host and
wait for an echo reply from each device. Using a traceroute function the server can trace and
register the actual route that an IP packet follows to a network, Internet or intranet host. The
function "finger" returns the users logged on to remote systems. It is also possible to send a
message which returns the entry from a remote registry and information about domains
(WHOIS). It is also possible to use net scanning functions, preferably over a specified range of
IP addresses, for example by pinging each one, which also returns the names, and adding them
to the possible host files.

Using the premises of the invention, to avoid a flooding attack, a server may check the route to
the origin of the (forged) IP address and take proper action if needed, and thereby avoid
unnecessary ACK/REQ transmissions, which degrade the performance of the system.

It is also possible to arrange the devices not having IP addresses with other unique identities, 
which can be stored in the route database of the server. 

Fig. 3 shows a telecommunications system employing the method according to the invention.
The system includes a calling unit 20, a receiving unit 21 and connecting devices, which can be
one or several of base stations 22, switchboards 23, 28, links 24, satellite relays 25, 27 and
satellites 26. Preferably, each of the devices 20-28 is provided with a unique identity. When a
call is switched, preferably the base station 28 or the receiving unit 21 is arranged with a
database including the call route for a call from each authorised calling unit 20. Particularly, in
a digitalised network, each device can be arranged to, automatically or on request, add its
identity to a message to the base station 28 or the receiving unit 21. Using the received list of
the devices in the route, the base station 28 or the receiving unit 21 can decide to allow or not
allow the call. This embodiment may be applied to any telecommunications system,
components of which have or can be provided with identities, such as GSM, NMT etc.

This system could be particularly useful, for example, for security calls, banking transactions
etc.

The invention is not limited to the illustrated embodiments but can be varied in a number of
ways without departing from the scope of the appended claims, and the arrangement and the
method can be implemented in various ways depending on application, functional units, needs
and requirements etc.
CLAIMS

1. A method for detecting and/or tracking a non-authorised client station (11, 20) when
accessing a host station (10, 21) in a communications network (12), which also comprises
connecting devices (13-17, 22-28) in a route between said client station and host station (10,
21), each client station (11, 20), host station (10, 21) and at least some of said connecting
devices (13-17, 22-28) being provided with a unique identity, the method comprising the steps
of executing a first verification,

characterised in, 

that the method, in case of approved said first verification includes further step of route control 
comprising: 

- retrieving the unique identity of each of said devices in said route, by propagating
an identity inquiry,

- collecting an identity inquiry response message, including the identity of at least
each device having a unique identity,

- comparing each unique identity of each device and/or station included in said
response message with a list of approved identities, and

- rejecting or accepting the access, based on the comparison result.

2. The method according to claim 1,
characterised in,

that said first verification includes controlling the client station (11, 20) identity and comparing
it with a list of approved identities.

3. The method according to claim 1 or 2, 
characterised in, 

that said first verification includes controlling number of accesses made by the client station 
(11,20). 

4. The method according to claim 3, 

characterised in, 

that if the client identity is approved and a first-time access is detected, the method further
comprises the steps of:

retrieving the unique identity of each of said devices (13-17, 22-28) in said route,
arranging a database for said client station for storing the connection route, and
including in the database the identity of each device (13-17, 22-28) having a unique identity sent by
each device having an identity and arranged to respond.


5. The method according to claim 4, 
characterised in, 

that the identity of each device is collected by propagating an identity requirement and 
collecting the identity requirement response message. 


6. The method according to claim 4, 
characterised by, 

arranging a list including said identities received in said response message, said identity list 
constituting a route list and comparing said list with a list of approved route list. 


7. The method according to claim 2, 
characterised in, 

that said comparison of the client station identity by a list of known approved clients, is carried 
out before the route control. 


8. The method according to claim 2, 
characterised in, 

that said comparison of the client station identity by a list of known approved clients, is carried 
out after the route control. 


9. The method according to any one of claims 1-8,
characterised in, 

that said communications network is a computer network (12). 


10. The method according to claim 9,
characterised in, 

that said unique identity is the IP address of the client station (11), host station (11) and at least
some of said connecting devices (13-18).

11. The method according to claim 9 or 10,
characterised in,

that said communications network is the Internet.

12. The method according to claim 9 or 10, 
characterised in, 

that said communications network is an Intranet/Extranet.


13. The method according to any one of claims 1-12, 
characterised by, 

generating an alarm signal in case of rejection. 

14. The method according to any one of claims 1-13,
characterised by,

executing a trace procedure in case of rejection. 

15. The method according to claim 1, 
characterised in,

that an error message inquiry is sent to each or all devices, asking for identity conflict errors
and/or other errors.

16. The method according to claim 1, 
characterised by,

denying access in case of a failed first verification.

17. A security arrangement for detecting and/or tracking a non-authorised user access to a
communications network (12), which comprises at least one client station (11), at least one host
station (10) and connecting devices (13-17) in a route between said client station and host
station, each client station, host station and at least some of said connecting devices being
provided with a unique identity,
characterised in,

that the arrangement comprises means for communication between said host station, client
station and connecting devices, memory units for storing information and instructions, means
for fetching the identity of the client station at login, means for comparing the identity of the
user with a stored identity list, means to propagate a device identity inquiry, means to identify
and collect responses to said inquiry including unique identities and means to compare said
collected identities with a stored list of identities.

18. The arrangement according to claim 17, 
characterised in,

that the arrangement is integrated in said host station (10). 

19. The arrangement according to claim 17, 
characterised in, 

that the arrangement is separately arranged in a supervising server.

20. The arrangement according to any one of claims 17-19, 

characterised in, 

that the route list is automatically updated. 


21. The arrangement according to any one of claims 17-20, 
characterised in, 

that the connection devices are any one of: routers; infrastructure devices such as bridges,
terminal servers, gateways, firewalls, repeaters; application servers such as DNS (Domain
Name System), mailhubs, news servers, FTP (File Transfer Protocol) servers, WWW (World
Wide Web) servers, network management systems and communication servers.

22. A telecommunications network including a calling unit (20), one or more switching stations 
and links (22-28) and a receiving station (21), 

characterised by,

a security arrangement for detecting and/or tracking a non-authorised user when connecting
speech for said calling unit (20), each of the calling unit (20) and the switching stations/links (22-
28) being provided with a unique identity,

said arrangement further comprising means for collecting the identity of each calling unit (20) and
switching station (22-28), upon a request from said arrangement, and creating a list for a call
route, comparing said call route with approved call routes and approving or rejecting the call.